#1
Hijack This log - Thanks Tom
Logfile of HijackThis v1.98.2
Scan saved at 4:19:22 PM, on 10/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Plaxo\2.0.4.59\InstallStub.exe
C:\win32app\cpms7\Printkey.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
D:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50186
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://csiis5
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50186
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50186
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ALDOT
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\RunOnce: [yup] C:\WINDOWS\sysprep\NetPolicy.htm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.0.4.59\InstallStub.exe -a
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: nt_connectr.bat
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - d:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - d:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - d:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://csiis5
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwgc.ops.placeware.com/etc/place/GOLF/SCGpws-c2/5.1.2.150/lib/quicksilver.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/181fe440af4c1cf7f119/netzip/RdxIE2.cab
O16 - DPF: {63FA0A10-5AA8-449F-9C5B-C8853F697405} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093985497706
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50186/QDow_AS2.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dot.state.al.us
O17 - HKLM\Software\..\Telephony: DomainName = dot.state.al.us
O17 - HKLM\System\CCS\Services\Tcpip\..\{32C0E33D-9D45-4739-98BE-2C314CF47F21}: Domain = dot.state.al.us
O17 - HKLM\System\CCS\Services\Tcpip\..\{32C0E33D-9D45-4739-98BE-2C314CF47F21}: NameServer = 10.254.52.9,10.254.10.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE3710D6-9316-46D0-9F06-45DE4718703C}: Domain = dot.state.al.us
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE3710D6-9316-46D0-9F06-45DE4718703C}: NameServer = 10.128.10.2,10.254.52.9
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dot.state.al.us
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
#2
Hi JerryHiggins,
You might want to print these instructions for reference or copy and paste them into Notepad and save them on your desktop, as you will be off the internet while using HijackThis.

Go to Start > Run > Services.msc. Scroll down to the WinTools for IE service, stop it, and set it to 'Disabled'. Now restart your computer, go to Start > Run > Regedit and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. Double-click that "Services" subkey in order to expand the branch, locate the WinTools subkey, right-click it, and choose 'delete' from the context menu.

Next... Boot into Safe Mode. Reboot your computer, start tapping F8 when it first starts booting, and select Safe Mode.

Please press Ctrl-Alt-Delete and open Task Manager. End the following processes by selecting each one, pressing the End Process button and clicking Yes to the confirmation message:

WToolsA.exe
TBPS.exe
PIB.exe
wintoolsS
WSup.exe

Then.... Open a command prompt by clicking on Start, then Run, and typing the following based on your operating system:
1. For Windows 98/ME/95 type command.exe and press the OK button.
2. For Windows XP/2000/NT type cmd.exe and press the OK button.

You will now be in a command prompt. Type regsvr32 /u /s "C:\Program Files\Toolbar\toolbar.dll" and press the Enter key on your keyboard. Type exit to close the command prompt.

Next.... Run HijackThis, click Scan, and place a checkmark next to the following items. Close all browsers and any other windows or the fix may not work! Click "Fix checked". It is OK if some of these items are no longer listed.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50186
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50186
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50186
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/181fe440af4c1cf7f119/netzip/RdxIE2.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50186/QDow_AS2.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll

These are resource hogs that can be safely fixed also:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Unless you have the Spybot Search & Destroy option 'Lock homepage from changes' active, or your system administrator put this into place, have HijackThis fix this:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Is this valid to the best of your knowledge? I know the program Sysprep is...

O4 - HKLM\..\RunOnce: [yup] C:\WINDOWS\sysprep\NetPolicy.htm

How about this one?

O4 - Global Startup: nt_connectr.bat

Next.... Make sure your computer is configured to show all files and folders. Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Under the Hidden Files and Folders heading select Show Hidden Files and Folders. Uncheck the Hide Protected Operating System Files (recommended) option. Click Yes to confirm. Click OK.

Delete the following folders:

C:\PROGRA~1\Toolbar\
C:\PROGRA~1\COMMON~1\WinTools\

Next.... Open My Computer, browse to the C:\documents and settings\User Name (repeat for all users)\local settings\temp folder and delete all files and folders in it. Open My Computer, browse to the C:\Windows\Temp folder and delete all files and folders in it. Open Internet Explorer, click Tools > Internet Options > General. Check "delete all offline content", click "Delete Files", then click OK. Empty your Recycle Bin.

Reboot normally and post a fresh HijackThis log.

Tom
__________________
HijackThis | Ad-aware | Spybot Search & Destroy | SpywareBlaster | SpywareGuard | Housecall Online A/V Scan
Please read the stickies at the top of the forum before posting!
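The log Jerry posted in #1 and the list of entries Tom asks him to tick in #2 use the same "Rn - ..." / "On - ..." line format, so an added example follows: a small Python triage script that parses that format and flags entries matching the CLSIDs, path fragments and download hosts taken from Tom's fix list. This is editor-added code, not part of the thread and not HijackThis's own code; the section meanings are the standard HijackThis ones, the indicator values come from the posts above, and the sample log is a constructed subset of Jerry's entries with the Acrobat BHO and McAfee Run entry kept as benign controls.

```python
"""Triage a HijackThis log against a small indicator set.

Added example for this thread, not HijackThis code. Section meanings are
the standard HJT ones; the indicators are the items Tom told Jerry to fix.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# HijackThis section codes that appear in Jerry's log and what each one records.
SECTIONS: Dict[str, str] = {
    "R0": "IE start/search page value",
    "R1": "IE search/URL value",
    "R3": "URLSearchHook",
    "O2": "Browser Helper Object (BHO)",
    "O3": "IE toolbar",
    "O4": "autostart (Run key / Startup folder)",
    "O6": "IE options locked by policy",
    "O16": "Downloaded Program File (ActiveX)",
    "O17": "domain / DNS setting",
    "O18": "protocol handler",
}

# Indicators lifted from Tom's fix list: CLSIDs, path fragments and download
# hosts that belong to the WinTools / websearch toolbar installation.
KNOWN_CLSIDS = {
    "{8952A998-1E7E-4716-B23D-3DBE03910972}",
    "{87766247-311C-43B4-8499-3D5FEC94A183}",
    "{339BB23F-A864-48C0-A59F-29EA915965EC}",
    "{FF76A5DA-6158-4439-99FF-EDC1B3FE100C}",
    "{56336BCB-3D8A-11D6-A00B-0050DA18DE71}",
    "{87067F04-DE4C-4688-BC3C-4FCF39D609E7}",
}
KNOWN_PATH_FRAGMENTS = ["\\toolbar\\toolbar.dll", "\\wintools\\", "\\toolbar\\tbps.exe"]
KNOWN_HOSTS = ["websearch.com", "207.188.7.150"]

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample: two header lines plus a subset of the entries Jerry
# posted, with the Acrobat BHO and the McAfee Run entry as benign controls.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Running processes:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50186
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50186/QDow_AS2.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
"""


@dataclass
class Entry:
    code: str           # section code, e.g. "O2"
    body: str           # everything after "O2 - "
    clsids: List[str]   # {GUID}s found in the body, upper-cased for comparison
    raw: str            # the original line, exactly as HijackThis lists it

    @property
    def kind(self) -> str:
        return SECTIONS.get(self.code, "other")


def parse_log(text: str) -> List[Entry]:
    """One Entry per 'Rn - ...' / 'On - ...' line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        clsids = [c.upper() for c in CLSID_RE.findall(body)]
        entries.append(Entry(m.group("code"), body, clsids, line))
    return entries


def reasons_for(entry: Entry) -> List[str]:
    """Which indicators an entry matches; an empty list means no match."""
    hits = [f"known CLSID {c}" for c in entry.clsids if c in KNOWN_CLSIDS]
    lowered = entry.body.lower()
    hits += [f"path contains {frag}" for frag in KNOWN_PATH_FRAGMENTS if frag in lowered]
    hits += [f"references {host}" for host in KNOWN_HOSTS if host in lowered]
    return hits


def triage(text: str) -> List[Tuple[Entry, List[str]]]:
    """Pair every parsed entry with its indicator hits (possibly none)."""
    return [(e, reasons_for(e)) for e in parse_log(text)]


def fix_list(text: str) -> List[str]:
    """Raw lines to tick in HijackThis: entries with at least one hit."""
    return [e.raw for e, hits in triage(text) if hits]


if __name__ == "__main__":
    for entry, hits in triage(SAMPLE_LOG):
        flag = "FIX " if hits else "keep"
        print(f"{flag} {entry.code:<3} {entry.kind:<38} {'; '.join(hits)}")
```

Matching on CLSID, path fragment and host independently is deliberate: a toolbar like this one registers the same DLL under several section types (R3, O2, O3, O18), so a single entry often lights up on more than one indicator, and a renamed copy of the DLL still trips on its CLSID. On the constructed sample the script flags six of the eight entries and leaves the Acrobat and McAfee lines alone.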
#3
No "Wintools for IE" Service
"Wintools for IE" is not showing up in my Services list.
Thanks, Jerry
#4
Jerry,
Ok, just follow the rest of the fix posted.
Tom
#5
Tom,
When I try to boot into Safe Mode I can't log on because it doesn't display the box for the domain name and I get the error "The system could not log you on. Make sure your user name and domain are correct, then type your password again. Letters in passwords must be typed using the correct case."
Thanks for your help.
Jerry
#6
Hi Jerry,
You can complete the steps in normal mode. You just have a better chance for complete removal in safe mode.
Tom
#7
Tom,
When I select the item in Task Manager and click "End Process" nothing happens. The items persist in the process list.
Thanks, Jerry
#8
Make sure you have killed the service and removed the registry entry as posted earlier:
Go to Start > Run > Services.msc. Scroll down to the WinTools for IE service, stop it, and set it to 'Disabled'. Now restart your computer, go to Start > Run > Regedit and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. Double-click that "Services" subkey in order to expand the branch, locate the WinTools subkey, right-click it, and choose 'delete' from the context menu.

Next... I'd like you to download Pocket Killbox. Download it to your Desktop. Run the program, browse to one of the files listed (you may have to search for it first), and click the Delete on Reboot button. Then press Delete File (the red X). Please repeat for each file listed and reboot your computer.

WToolsA.exe
TBPS.exe
PIB.exe
wintoolsS
WSup.exe

Be careful: this is a powerful tool and is unforgiving once you instruct it to delete something.
http://download.broadbandmedic.com/Killbox.exe

Tom
#9
Tom,
None of the items in bold are on my system:

Scroll down to the WinTools for IE service, stop it, and set it to 'Disabled'. Now restart your computer, go to Start > Run > Regedit and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. Double-click that "Services" subkey in order to expand the branch, locate the WinTools subkey, right-click it, and choose 'delete' from the context menu.

Do you still want me to run Killbox?
Thanks, Jerry
#10
Yes, just continue with killing those running processes (with Killbox) and complete the rest of the fix I originally posted.
Tom
#11
Tom,
I managed to finally get all of the junk deleted out of c:\documents and settings\... temp\ but Killbox is not killing the processes. When I check "Delete on reboot" it doesn't work.
Thanks, Jerry
#12
Ok let's try this:
Please go to Start > Control Panel > Add/Remove Programs. Look for WinTools and uninstall it. There may be more than one listed, so remove them all!

Next, follow the instructions on this page for an alternate removal method. They suggest booting into safe mode (I understand you can't). See if you can remove the registry entries in normal mode. They suggest you disable System Restore; I say don't until your log turns up clean... just skip that step.
http://www.pchell.com/support/wintools.shtml

Tom
#13
Tom,
On my latest attempt at this I ran Killbox and chose "Delete on reboot" for c:\program files\common files\Wintools for Wsup.exe, WToolsA.exe, WToolsB.dll and WToolsS.exe. I then opened HijackThis and removed those corresponding entries. When I rebooted nothing had changed.
Thanks, Jerry
#14
Tom,
I didn't see your last post before I posted last. I did get WinTools removed from Add/Remove Programs, so let me try the rest of what you gave me and I'll get back to you. For the first time I now do not see WToolsA.exe in Task Manager. Hallelujah!
Thanks, Jerry
#15